Radar detection of "WEP or WPA-PSK active encryption attack"

  • Question
  • Updated 2 years ago
  • Answered
I have enabled the in-service scan on one AP3825i access point to test the Radar feature. Since I enabled it in the morning, the Radar reports "WEP or WPA-PSK active encryption attack" in the log.

Based on my knowledge, this could be caused by excessive FCS errors and other reasons. I discovered the same behavior during several other tests at different locations. To me it looks like a false positive. The Wireless Statistic Report of the access point shows a large FCS Error Count on Radio 1 (5 GHz):



Does anyone else have the same alarms?

Hartmut Sachse


Posted 2 years ago


Steve Ballantyne

Hello Hartmut,

What version of Netsight are you using? I am running 7.0.4.29. When I look at this particular alarm in my console, it says "Cracking: Possible attack on WEP or WPA - Excessive frame receive errors". So it seems like it's an admission that it could be a lot of frame errors and not necessarily an attack.

I too get this alarm fairly often. Some sites more than others. I haven't yet investigated as to why. It might be an indication that the laptops' wireless NICs are lousy. Or that my coverage is lousy / congested.

Hartmut Sachse

Sorry, I forgot this info. The V2110 is running the latest 9.21.11. Same behavior with older 9.21.x releases. Netsight version is 6.3.0.182.

I think the problem goes in the direction you mention, but it's a big coincidence to see this on every AP3825i I tried Radar on. If I find the time I will do a wireless trace to check for CRC errors and retry count.
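The trace check mentioned above (CRC errors and retry count) could be tallied like this; it is an added example, not part of the original post and not Radar's own detection logic or thresholds, which the thread does not describe. It assumes frames exported as raw 802.11 MAC frames with the 4-byte FCS still attached and no radiotap header; all addresses and frames are constructed.

```python
import struct
import zlib
from collections import Counter

RETRY_FLAG = 0x08  # Retry bit in the second Frame Control byte

def fcs_ok(frame: bytes) -> bool:
    """True if the trailing 4-byte FCS equals the CRC-32 of the preceding bytes."""
    if len(frame) < 14:  # shortest frame (ACK/CTS): 10-byte header + 4-byte FCS
        return False
    return struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]

def summarize(frames):
    """Count FCS failures overall and retries per transmitter (FCS-valid frames only)."""
    bad, seen, retries = 0, Counter(), Counter()
    for frame in frames:
        if not fcs_ok(frame):
            bad += 1  # header of a corrupted frame is untrustworthy: do not attribute it
            continue
        if len(frame) < 20:  # no Address 2 field (ACK/CTS)
            continue
        ta = frame[10:16].hex(":")
        seen[ta] += 1
        if frame[1] & RETRY_FLAG:
            retries[ta] += 1
    total = len(frames)
    return {"total": total, "fcs_bad": bad,
            "fcs_error_ratio": bad / total if total else 0.0,
            "frames": seen, "retries": retries}

# --- constructed sample data (not from a real capture) ---
AP = bytes.fromhex("020000000001")     # locally administered, made-up addresses
STA_A = bytes.fromhex("0200000000aa")
STA_B = bytes.fromhex("0200000000bb")

def build(ta, retry=False, corrupt=False):
    """Build a to-DS data frame with FCS; optionally flip one payload bit afterwards."""
    flags = 0x01 | (RETRY_FLAG if retry else 0)
    body = bytes([0x08, flags]) + b"\x00\x00" + AP + ta + AP + b"\x10\x00" + b"payload"
    fcs = struct.pack("<I", zlib.crc32(body))
    if corrupt:
        body = body[:-1] + bytes([body[-1] ^ 0x01])
    return body + fcs

def sample_frames():
    return [build(STA_A), build(STA_A, retry=True), build(STA_B),
            build(STA_B, corrupt=True), build(STA_B, retry=True, corrupt=True)]

if __name__ == "__main__":
    print(summarize(sample_frames()))
```

A high FCS error ratio spread across the capture, with retries from many stations, fits the congestion or poor-coverage explanation discussed above.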

Ronald Dvorak, Embassador

Is there any document/user manual available that describes the RADAR functionality in more detail?

The HiGuard manual was very good so I'd like to see something similar for RADAR - it's hard to sell an added feature without any technical knowledge about it.

I've found a document from 2014 v8.21 but I hope that there is something more current/accurate that also includes new APs.

Thx,
Ron

Christina M, Alum

Hi, Ronald! You can read about Wireless Radar for v9.21 here (see Chapter 16): http://documentation.extremenetworks.com/wireless/9.21/9034729-09_Wireless_User_Guide_v9.21.01.pdf

For the most recent release, here is the Radar chapter: http://documentation.extremenetworks.com/wireless/UG/Wireless/User_Guide/c_radar_overview.shtml

Ronald Dvorak, Embassador

Thanks Christina,

I had a ticket (#01236555) open last week and a remote session with a GTAC engineer.

During the session I've asked the engineer to explain the part about collection engine configuration to me and even he got it wrong.

As I've mentioned in the ticket review, the user manual is not clear/correct.

- misleading information about collection engine in HA mode
The manual indicates that you'd need only one / or could only have one BUT as soon as you enable collection engine in HA it's enabled on both of the pair, so it's not even possible to have only one CE in HA mode

- note "If an AP is part of a WDS/Mesh link, you cannot configure it to act as a scanner in Radar." = replace scanner with Guardian AP

I've stopped reading at that point as I don't want to confuse myself any further.
Would be great if someone could review the whole chapter.

Thanks,
Ron

Christina M, Alum

Thanks for your feedback. If you would, please submit this to the documentation team so the author can work with our engineers to fix the incorrect information in the documentation. It would also be good if the author can contact you directly, so please leave your email address in the feedback form.

From the http://documentation.extremenetworks.com/wireless/UG/Wireless/User_Guide/c_radar_overview.shtml page, please click the Feedback link on the right.



Thanks!

Hartmut Sachse

I think Ronald means the old tech note for the Radar feature introduced in version 8.21. This document includes information about the threats the WIDS/WIPS discovers. I have one customer who asked for such an overview. Would be great if you include an updated version of this in the user guide.

Ronald Dvorak, Embassador

Sorry, Hartmut, for hijacking the thread with my post.
You are right, that is exactly the document I mean :-)

@Extreme - I can't "sell" Radar to anyone without information on how it works.
The amount of "whitepapers" and other technical material is VERY limited.

@Christina - Thanks but I think I've done enough - I've opened a GTAC ticket / I've written comments in the survey of the GTAC ticket and reported the issue here.

Ryan Mathews, Alum

Thanks for being vocal about this, Ron.